The process of getting a CA-signed certificate imported for the VASA providers will be as follows:
- Generate a CSR from the FlashArray CLI and copy down the request.
- As the FlashArray does not allow setting Subject Alternate Names in generated CSRs, the CA will need to have the ability to set the SAN for the Certificate. Make sure that the CA that is going to sign the certificates has that option.
- Provide the CSR's to the CA with the appropriate SAN entry.
- Import the signed certificates to vasa-ct0 and vasa-ct1.
In the example below, a Microsoft Certificate Authority is used to sign the certificate through the Web service. In order to set SAN entries, the option had to be enabled, as it is disabled by default. Consult with your Security Team that manages the Certificate Authority and make sure that they know that a SAN entry for the IP address must be included. See these two articles for more information: Microsoft KB 1 and Microsoft KB 2.
As noted, by default the ability to set SAN entries in the Web Enrollment for the Microsoft CA is disabled. While it can be enabled (you can search for articles about "EDITF_ATTRIBUTESUBJECTALTNAME2" to find the posts detailing how), Microsoft does not recommend doing so or leaving it enabled (see the second KB linked). Currently, Everpure is working to add the ability to generate a CSR with SAN entries to the purecert command. Once that work is complete, then manually entering the SAN entry in the certificate request will not be required.
Creating a Certificate Signing Request (CSR) from the FlashArray
The first step is to create a CSR for vasa-ct0 and vasa-ct1 from the FlashArray CLI. This can be done as any array admin user or as the local array admin user. The pureuser account is used in the example.
- SSH into the FlashArray as an Array Admin user.
Once logged into the FlashArray, CLI the FA Certificates can be viewed or checked using the purecert command.$ ssh pureuser@10.21.88.116 pureuser@10.21.88.116's password: Welcome pureuser. This is Purity Version 5.3.0 on FlashArray sn1-405-c12-21 http://www.purestorage.com/ pureuser@sn1-405-c12-21>pureuser@sn1-405-c12-21> purecert list Name Status Key Size Issued To Issued By Valid From Valid To Country State/Province Locality Organization Organizational Unit Email Common Name management imported 4096 10.21.88.116 CA 2019-06-05 17:49:10 PDT 2021-06-04 17:49:10 PDT US California Mountain View Pure Solutions Solutions - 10.21.88.116 vasa-ct0 imported 4096 10.21.88.117 CA 2019-06-05 17:41:47 PDT 2021-06-04 17:41:47 PDT US California Mountain View Pure Solutions Solutions - 10.21.88.117 vasa-ct1 imported 4096 10.21.88.118 CA 2019-06-05 17:43:22 PDT 2021-06-04 17:43:22 PDT US California Mountain View Pure Solutions Solutions - 10.21.88.118 - Generate a CSR for vasa-ct0 and copy down the CSR in notepad and/or paste it into a new .csr file.
pureuser@sn1-405-c12-21> purecert construct --certificate-signing-request --common-name 10.21.88.117 --country US --state California --locality 'Mountain View' --organization 'Pure Storage' --organizational-unit 'Solutions Engineering' vasa-ct0 -----BEGIN CERTIFICATE REQUEST----- MIIC0DCCAbgCAQAwgYoxFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMR4wHAYDVQQLDBVTb2x1dGlvbnMgRW5n aW5lZXJpbmcxFTATBgNVBAMMDDEwLjIxLjg4LjExNzEXMBUGA1UECgwOUHVyZSBT b2x1dGlvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDXfefnc1t QsSGKLhZpPS4oUU9Y7m/NH+MZ1GzuujA7pTbQvcnXKXcTUgAg6CEtcxslwfx2v/r hwIA9Sp0/WzCMOGS2l1CloKaIjSVgmXma8BEpAxsNI9NIZ/qtfkP75N9Ai5yeSJb 40m8/4q5yRNbs4DdGjSXDu4p5kGfeLL0IZiUngQZZUdgVEkKmaWdkG4mjMsmx+ND HclN0b+7gWaphOM4j3RUVBvk3H5qYYkRgGgnprCMucewG/RZqwDjQCTdYjYboqbw GPJj2/Lu6c4uiOOtNHdlRp0GMjioMnw3J8GQ2thsWhpS8Aq6e30c3Z1Hyk8En3Y2 8S1OA/MIMsQvAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEARUxJUl4bqwQvIcNj pmswd0VtgkmpKYzcQRXGSH1/T3fiIOkY3DAynY+nO4n/qi8AqHIjmoRHhg2VW23i zAiwdqaEvqMcbMhUZF69Ouziz7pswaXP4W5U5ZJ3nqERHoWAtcxvOgKi6ww0u6OL bBE0sWPZy/AaQVep39y7kXCIBfZJzlHBb4oIy9opfd9TqcqnIgkYCddSbxUKNL0/ 0FPTuzii2Q7WTHphlTeJdd+rluWSc06GaB4F8+x9OXfn/cGXzX+XdK8tIZdtdV/y AlEXepRtiX6JQsnji0DkJKBnY0i3dkwdkhdX5EM1cWQqWbHB9Bj6gHcbA55vgMRH CFbZgA== -----END CERTIFICATE REQUEST----- - Repeat for vasa-ct1.
pureuser@sn1-405-c12-21> purecert construct --certificate-signing-request --common-name 10.21.88.118 --country US --state California --locality 'Mountain View' --organization 'Pure Storage' --organizational-unit 'Solutions Engineering' vasa-ct1 -----BEGIN CERTIFICATE REQUEST----- MIICzjCCAbYCAQAwgYgxFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMR4wHAYDVQQLDBVTb2x1dGlvbnMgRW5n aW5lZXJpbmcxFTATBgNVBAMMDDEwLjIxLjg4LjExODEVMBMGA1UECgwMUHVyZSBT dG9yYWdlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6LwIcLg68qmn jnMKBUanqrUAzCmySBME2qyMY86ZY+OAs3g6EwmLVE5DuQlXBTfonVgUGPCXm8k/ 30rWwvQUgOXKk161VWCGGixI7rPQrXKeBNpCeaLvQSIqySdnUtv1BU1MTkQuN4Xr 76oMX4NWRtfRj/aUPZB+5vqBAAZTT7IVtx1WHEy13x0G4WUU3Mq3M33lXljEjDLc JjCFTZB6pI0Fc5nVBe9MpAVTNTDs8Vs14VC7cBlIekFVIBnw/AitZeJ6lZUSKbDc fasPiAS57jlwX8/dlTSqveAcndh3BZtIPOlEOAvr4G7/vYhhnnOVIs9P1V6RBAgU 0JaNQ+RXjQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAEs1s36poZ1hb1LvFg2J 6QTkdliQcasXu28Mcrut4us0QSQ4EzahGEYu33AhQYLhSarZtOhvMgFkYjvQMkPK bg2mnr04/F35PzO4r0fehQLRcAFj25R/5djohlQg7w/9CJqPy81CwpCDNvoBwX0o pO8vp9yXpTwpCau7BAm5VO9WgNQgEP9XZAnVpEFfnXz7VLUn6OeDdjIwCsMXVu65 qX83sjYGa6wTRbpI7jFxG8wM/D8FJxbhuySFH9nxt4BAAkp8wYOxBn32Mp/2CKbu Y0HQLbwrmRMcYt76EMYSjm1pjQohEr14rrDvd8PqifUxpuq5kgjhr2Or6FhBYTgJ ANQ= -----END CERTIFICATE REQUEST-----
Now that the CSRs are generated and saved, the next step is getting a self-signed certificate or signed certificate.
Signing the CSR
The process of getting the Certificate Authority to sign the CSR will depend on what type of Certificate Authority your environment has. Consult your security team or the team managing the certificates for the process to submit the certificate requests. In the example below the CSR is signed by a Microsoft CA.
- Navigating to the CA websrv, the CSR and SAN are provided.
Request a new certificate
Then submit an advanced certificate request
In the request the CSR is provided along with the SAN for the IP address of the controller
Download the base 64 certificate once the certificate is generated
- Repeat the same steps for vasa-ct1.
-
Once both certificates are issued, open both of them up in a text editor, such as notepad/notepad++, and copy down the certificates.
Both vasa-ct0 and vasa-ct1's certificates can now be imported as they are signed and saved.
Importing the Signed Certificate
Much like the self-signed certificate process, this must be done from the FlashArray CLI. The difference is that the private key does not need to be provided.